Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2024 03:48

General

  • Target

    0x000700000002320d-976.exe

  • Size

    1.6MB

  • MD5

    32482344f0d985670f8d87c463d732c4

  • SHA1

    9653d6f4282f0aaa0e22d454a72264f3287a1dfd

  • SHA256

    8bea801f9e9bb34de95156473919afb32a4a813b81c61b1e20374c5ab0ff010a

  • SHA512

    6060807aca6cd7dd996b46e20ac2e7c8a527f61b45880afd26fdcab736c1203e8903865e41e635bf8083c0ddc981e7e121773616c19aec03e3ca3ff5548ee7c4

  • SSDEEP

    49152:vkTq24GjdGSiqkqXfd+/9AqYanieKdsG:v1EjdGSiqkqXf0FLYW

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000700000002320d-976.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000700000002320d-976.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1620
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:3264
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:3588
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:1980
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 2764
            2⤵
            • Program crash
            PID:3964
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:1976
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:224
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1620 -ip 1620
              1⤵
                PID:1272
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3612

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Browsers\Firefox\Bookmarks.txt

                Filesize

                105B

                MD5

                2e9d094dda5cdc3ce6519f75943a4ff4

                SHA1

                5d989b4ac8b699781681fe75ed9ef98191a5096c

                SHA256

                c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                SHA512

                d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

              • memory/1620-8-0x0000000006400000-0x0000000006408000-memory.dmp

                Filesize

                32KB

              • memory/1620-2-0x0000000005AD0000-0x0000000005B36000-memory.dmp

                Filesize

                408KB

              • memory/1620-3-0x0000000005A50000-0x0000000005A60000-memory.dmp

                Filesize

                64KB

              • memory/1620-6-0x0000000006340000-0x00000000063D2000-memory.dmp

                Filesize

                584KB

              • memory/1620-7-0x00000000063D0000-0x00000000063F6000-memory.dmp

                Filesize

                152KB

              • memory/1620-0-0x0000000000FD0000-0x0000000001162000-memory.dmp

                Filesize

                1.6MB

              • memory/1620-9-0x0000000007380000-0x000000000738A000-memory.dmp

                Filesize

                40KB

              • memory/1620-10-0x0000000007390000-0x0000000007398000-memory.dmp

                Filesize

                32KB

              • memory/1620-11-0x00000000073B0000-0x00000000073CE000-memory.dmp

                Filesize

                120KB

              • memory/1620-1-0x0000000074FD0000-0x0000000075780000-memory.dmp

                Filesize

                7.7MB

              • memory/1620-68-0x00000000075F0000-0x0000000007682000-memory.dmp

                Filesize

                584KB

              • memory/1620-74-0x0000000008250000-0x00000000087F4000-memory.dmp

                Filesize

                5.6MB

              • memory/1620-82-0x0000000074FD0000-0x0000000075780000-memory.dmp

                Filesize

                7.7MB